diff --git a/.flake8 b/.flake8
new file mode 100644
index 0000000..e1ed178
--- /dev/null
+++ b/.flake8
@@ -0,0 +1,4 @@
+[flake8]
+max-line-length = 88
+extend-ignore = E203
+exclude = .git
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..9c882b7
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+__pycache__/
+*.egg-info/
diff --git a/LICENSE.txt b/LICENSE.txt
new file mode 100644
index 0000000..9b1b7ee
--- /dev/null
+++ b/LICENSE.txt
@@ -0,0 +1,202 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "{}" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright 2023 The MITRE Corporation. All rights reserved + Approved for Public Release; Distribution Unlimited. Case Number 22-00195-SC4 + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/README.md b/README.md index d4e8d92..5391558 100644 --- a/README.md +++ b/README.md 
@@ -1 +1,387 @@ -2023 eCTF Tools Release Branch +# 2023 MITRE eCTF Tools: Protected Automotive Remote Entry Device (PARED) +This repository contains tools to run MITRE's 2023 Embedded System CTF +(eCTF) design - see https://ectf.mitre.org/ for details. + +**Nothing in this repository should be modified in your design**. + +# Environment Setup + +**Required Software** +- Git +- Docker +- Python +- Stellaris ICDI Drivers +- UNIFLASH + +**Recommended Software** +- Visual Studio Code + - Python, C/C++, Cortex-Debug Extensions +- OpenOCD +- ARM GNU Toolchain + +## Required Software + +The following sections detail how to install the required software for this competition. + +### Package Managers + +It is important to note that some of these requirements can be installed via a package manager, and some of the install pages actually recommend it. A package manager is like an Appstore for your computer that runs on the commandline. + +NOTE: Package managers are not required and these tools can be installed through other means. Skip ahead if you wish to use other methods. + +Using a package manager can make the install process easier. + +To find the proper package name you can just search ` install` in your web browser. + +But first you need to install the proper package manager. + +**Windows: Chocolatey** + +Chocolatey is a package manager that can be installed on Windows. It has packages for most of the software you will need for eCTF. + +[https://docs.chocolatey.org/en-us/choco/setup](https://docs.chocolatey.org/en-us/choco/setup) + +**Mac: Homebrew** + +Homebrew is a preferred package manager for MacOS devices. It has install candidates for most of the software. It is even the prefered install method for some of the packages such as `git`. + +[https://brew.sh/](https://brew.sh/) + +**Ubuntu: apt** + +Linux, uses package managers by default. APT, or a different package manager, should already be installed on your system. 
+ +[https://manpages.ubuntu.com/manpages/trusty/en/man8/apt.8.html](https://manpages.ubuntu.com/manpages/trusty/en/man8/apt.8.html) + +### Git +Git is an open-source version control system. It will allow your team to collaborate on a single code base while managing a history of all the changes you make. + +Git is required to submit your design for testing and progression to the Attack Phase. This makes it easy for the organizers to download your code for testing and allows your team to tag a specific version of your code you want to submit. + +**All Platforms** +[https://git-scm.com/downloads](https://git-scm.com/downloads) + +### Docker +Docker is a lightweight containerization system. It allows you to package all your tools with the software required to run them. + +Docker is used in the eCTF to create an environment for your host tools to execute in. This allows teams to use different programming languages, tools, or libraries during the Design Phase without requiring other teams to download additional software to use their design. Instead, each team will deliver a Dockerfile that builds an image capable of running all their tools. + +**All Platforms** +[https://docs.docker.com/get-docker/](https://docs.docker.com/get-docker/) + +### Python +Python is a highly readable language with substantial support, which makes it easy to get started with powerful development capability. Setting up a Python virtual environment makes it easy to handle dependencies. Python is used in the eCTF tools repository we provide, as well as our reference design example. The reference design requires Python 3.7 or above. 
+ +**All Platforms** +There are many methods to install python on your system +- python.org: [https://www.python.org/downloads/](https://www.python.org/downloads/) +- pyenv: [https://github.com/pyenv/pyenv](https://github.com/pyenv/pyenv) +- other: [https://realpython.com/installing-python/](https://realpython.com/installing-python/) + +### Stellaris ICDI Drivers +The development board we will use for this competition is the Texas Instruments TM4C123G LaunchPad Evaluation Kit. You can find a lot of helpful resources on the product page at [https://www.ti.com/tool/EK-TM4C123GXL](https://www.ti.com/tool/EK-TM4C123GXL). + +The board has an integrated In-Circuit Debug Interface (ICDI). This is what is used to support programming and debugging of the hardware. To use it you need to install the correct drivers. + +**All Platforms** +[https://www.ti.com/tool/STELLARIS_ICDI_DRIVERS](https://www.ti.com/tool/STELLARIS_ICDI_DRIVERS) + +### UNIFLASH +To program the flash memory on the development board, you need to download a programmer. UNIFLASH is compatible with Windows, MacOS, and Linux. There is also an LMFLASHPROGRAMMER, but it has export restrictions and is only compatible with Windows. + +**All Platforms** +[https://www.ti.com/tool/UNIFLASH](https://www.ti.com/tool/UNIFLASH) + +## Recommended Software +The following sections detail how to install the recommended software for this competition. + +### ARM GNU Toolchain +Our custom build process for the embedded software that will be loaded onto the TI board will run in a Docker container. Therefore, it is not necessary to install a compiler on your local machine. However, it may be helpful to have if you want to do any local builds of your code or debug any build issues. A popular cross-compilation toolchain for ARM is the GNU Toolchain. 
+ +**All Platforms** +[https://developer.arm.com/downloads/-/arm-gnu-toolchain-downloads](https://developer.arm.com/downloads/-/arm-gnu-toolchain-downloads) + +### Open OCD +Open On-Chip Debugger (OpenOCD) is an open-source tool that supports debugging through a JTAG interface on many development boards. OpenOCD can be used with the Cortex-Debug extension in Visual Studio Code to provide an interactive debugging environment for the Texas Instrument development board we will use. + +**All Platforms** +[https://openocd.org/pages/getting-openocd.html](https://openocd.org/pages/getting-openocd.html) + +**Usage** +Open OCD can be used with gdb (arm-none-eabi-gdb from the ARM GNU Toolchain) or it can be used with the Cortex-Debug extension in Visual Studio Code (instructions in following section). To use Open OCD without Visual Studio Code, do the following: +1. In a terminal, start Open OCD with `openocd -f interface/ti-icdi.cfg -f board/ti_ek-tm4c123gxl.cfg`. +2. In another terminal, start GDB with `arm-none-eabi-gdb -ex "target extended-remote localhost:3333"` + +### Visual Studio Code +While there are many good IDEs, we recommend using Visual Studio Code (VSCode) because of its support for in-IDE debugging through the Cortex-Debug extension. Additionally, it is easier to setup than other IDEs we have used. + +**All Platforms** +[https://code.visualstudio.com/download](https://code.visualstudio.com/download) + +#### Extensions +Extensions can be added to Visual Studio Code to add features that make it feel more like an IDE than a text editor. There are three extensions that we recommend. 
+- Python +- C/C++ +- Cortex-Debug + +**All Platforms** +[https://code.visualstudio.com/docs/editor/extension-marketplace](https://code.visualstudio.com/docs/editor/extension-marketplace) + +##### Cortex-Debug +To configure Visual Studio Code with the Cortex-Debug extension and OpenOCD, you will need to create a launch configuration in Visual Studio Code that tells the extension information about your debug session such as the source code location, the path to your OpenOCD executable, and the board configuration files for OpenOCD to use. + +In your design repository, an example debug launch configuration could look like this: +```json +{ + "version": "0.2.0", + "configurations": [ + { + "name": "Cortex Debug", + "cwd": "${workspaceFolder}", + "executable": "${workspaceRoot}/path/to/application.elf", + "armToolchainPath": "/path/to/arm-none-eabi/bin", + "request": "launch", + "type": "cortex-debug", + "runToEntryPoint": "main", + "servertype": "openocd", + "device": "TM4C123GH6PM", + "configFiles": [ + "interface/ti-icdi.cfg", + "board/ti_ek-tm4c123gxl.cfg" + ], + "svdFile": "${workspaceRoot}/debug/TM4C123GH6PM.svd" + } + ] +} +``` + +## eCTF Tools Setup + +Once you have Git, Docker, and python3 installed, you need to clone this tools repo and install it as a python package. We recommend using a [python virtual environment](https://packaging.python.org/en/latest/guides/installing-using-pip-and-virtual-environments/#creating-a-virtual-environment) +when installing packages for this competition. With your virtual environment activated, run the following: + +```shell +git clone +python3 -m pip install -e +``` + +You must also clone the insecure example repository. + +## Hardware Setup +To prepare your hardware for the eCTF competition, you will need to install a bootloader (written by the organizers) on the development boards. Additionally, for the design to function the boards need to be connected over a shared UART interface. 
+ +### Custom Bootloader +Using UNIFLASH, you should load the bootloader found in this repository (bootloader/bootloader.bin) onto the Tiva development boards. The version found here is used for the Design Phase, and will be used to load your designs onto the board. During the Attack Phase, a functionally equivalent version will be used to load other teams' designs. + +### UART +The two Tiva development boards needs to be connected over a shared UART interface. +The boards should be connected as follows: + +| TM4C123G Pin | TM4C123G Pin | +| :--- | :--- | +| GND | GND | +| PB0 | PB1 | +| PB1 | PB0 | + +# Using the eCTF Tools Repository + +### Getting Debug Information + +When running any of the steps below, you can provide `--debug` between the +`ectf_tools` and `.` portions of the command. For example: + +```shell +python3 -m ectf_tools --debug build.env --design --name +``` + +### 1. Build +There are four stages to the build process. Each stage produces a functional +part of the system, whether it be an execution environment, system-wide secrets, +devices, or host tools. + +#### 1a. `build.env` +```shell +python3 -m ectf_tools build.env --design --name +``` + +This builds a Docker image that will be used to create build and run +environments for the system. Each subsequent step will be run in temporary +containers, where all inputs are provided via read-only volumes, and outputs are +stored on writable volumes. The environment build step will only be run once +ever and **the resulting image will be distributed to teams**. + +During development, you only need to change this whenever you need to +change the environment (e.g., adding a package). + +This step will build a docker container based on the Dockerfile in the design +repo. + +#### 1b. `build.tools` +```shell +python3 -m ectf_tools build.tools --design --name +``` + +This step creates a volume containing host tools that will be used when running +the system. 
You must pass the path to the design repo as an argument, and the +eCTF tools will invoke your host tools makefile. In the insecure example, the +host tools are simply copied to the output volume as they are implemented in +python scripts and do not need to be compiled. + +#### 1c. `build.depl` +```shell +python3 -m ectf_tools build.depl --design --name --deployment +``` + +This step generates system-wide secrets for a specific instance of the system +(i.e., a deployment). The eCTF tools will invoke the design deployment Makefile, +where secrets can be stored on a specific output volume. + +#### 1d. `build.car_fob_pair` +```shell +python3 -m ectf_tools build.car_fob_pair --design --name --deployment --car-out --fob-out --car-name --fob-name --car-id --pair-pin +``` + +This step builds car and pre-paired fob binaries that can be loaded into the +development boards. The eCTF tools will invoke the design device Makefile in the +appropriate folder, which places the firmware binary and EEPROM contents in an +output volume. This step also packages the firmware and EEPROM contents together +so they can be loaded into the device. + +#### 1d. `build.fob` +```shell +python3 -m ectf_tools build.fob --design --name --deployment --fob-out --fob-name +``` + +This step builds an unpaired fob binary that can be loaded into the +development board. The eCTF tools will invoke the design device Makefile in the +`fob` folder, which places the firmware binary and EEPROM contents in an +output volume. This step also packages the firmware and EEPROM contents together +so they can be loaded into the device. + + +### 2. Load and Launch Device + +Follow these steps load binaries onto a device and open a connection for the +host tools. + +#### 2a. `device.load_hw` + +The load stage loads a packaged device binary+EEPROM into a target device. The +`build.car_fob_pair` and `build.fob` steps must already have been run before +running this step. 
+ +Plug a device with the bootloader installed into your computer, and hold down +the right button while turning on the power. The device will slowly flash a +cyan LED, indicating it is ready to install firmware. Figure out the serial port +in your computer that the board is connected to (windows device manager or +linux/mac `dmesg`), then start the device load step: + +```shell +python3 -m ectf_tools device.load_hw --dev-in --dev-name --dev-serial +``` + +When the install finishes, the cyan LED will be solid. Now, power cycle the +device, and the LED should be solid green, showing that the firmware is running. + + +#### 2b. `device.bridge` +```shell +python3 -m ectf_tools device.bridge --bridge-id --dev-serial +``` + +The device bridge step launches a connection between a specific serial port +(for a device) and an INET socket (for the host tools). This step will actively +run in a terminal window, so you should open a separate window for this step. +The bridge must be running for the host tools to interact with the device. + +### 3. Run + +#### 3a. `run.unlock` +```shell +python3 -m ectf_tools run.unlock --name --car-bridge +``` + +This run step invokes the unlock host tool, which connects to a car to receive messages over UART. + +#### 3b. `run.pair` +```shell +python3 -m ectf_tools run.pair --name --unpaired-fob-bridge --paired-fob-bridge --pair-pin +``` + +The run step invokes the pair host tool, which connects to a paired fob and an unpaired fob. + + +#### 3c. `run.package` +```shell +python3 -m ectf_tools run.package --name --deployment --package-out --package-name --car-id --feature-number +``` + +This run step invokes the package host tool, which generates a package file +with name package-name in the directory package-out. This step utilizes the inputs +car-id and feature-number as well as shared secrets to generate a package. + +#### 3d. 
`run.enable` +```shell +python3 -m ectf_tools run.enable --name --fob-bridge --package_in --package_name +``` + +This run step invokes the enable host tool, which reads in a previously created +feature package and enables that feature on the connected fob. + +# Additional Tips + +### Docker +To view all running Docker containers: +```shell +docker ps +``` + +To kill the Docker container with process ID 12345: +```shell +docker kill 12345 +``` + +To kill all Docker containers: +```shell +docker kill $(docker ps -q) +``` +You can streamline this by adding `alias dockerka='docker kill $(docker ps -q)'` to your `.bashrc`. + +To run a command in the Docker container `test:deployment`: +```shell +docker run test:deployment echo "this echo command will be run in the container" +``` + +Docker can chew up disk space, so if you need to reclaim some, first clean up unused +containers and volumes +```shell +docker container prune +docker volume prune +``` + +If that isn't enough, you can clean up all containers and volumes: +```shell +docker container prune -a +docker volume prune -a +``` +NOTE: these will remove all of the cached containers, so the next builds may take a longer time + +These are some helpful commands to have handy when managing your docker state: + +- **Kill all docker containers**: `docker kill $(docker ps -q)` +- **Kill the process in your window**: `CTRL-C` +- **Suspend the process in your window**: `CTRL-Z` + - **Note:** Make sure to kill the process after! + +### udev Rules (Linux Only) +It is helpful to create custom udev rules for the Tiva boards used in the competition. +This allows for static naming between board resets. 
These should be placed in:
+/etc/udev/rules.d/10-local.rules
+
+```
+ACTION=="add", ATTRS{idVendor}=="1cbe", ATTRS{idProduct}=="00fd", ATTRS{serial}=="0E2340C0", SYMLINK+="board_2"
+ACTION=="add", ATTRS{idVendor}=="1cbe", ATTRS{idProduct}=="00fd", ATTRS{serial}=="0E235955", SYMLINK+="board_1"
+```
+
+The ATTRS{serial} should be replaced by your boards unique serial number.
+This can be found with udevadm info {/dev/tty{DEV_BOARD}} on Linux.
diff --git a/bootloader/bootloader.bin b/bootloader/bootloader.bin
new file mode 100644
index 0000000..82827c3
Binary files /dev/null and b/bootloader/bootloader.bin differ
diff --git a/bootloader/bootloader.elf b/bootloader/bootloader.elf
new file mode 100644
index 0000000..ef4cf42
Binary files /dev/null and b/bootloader/bootloader.elf differ
diff --git a/ectf_tools/__init__.py b/ectf_tools/__init__.py
new file mode 100644
index 0000000..c74cd74
--- /dev/null
+++ b/ectf_tools/__init__.py
@@ -0,0 +1,20 @@
+# 2023 eCTF
+# Kyle Scaplen
+#
+# (c) 2023 The MITRE Corporation
+#
+# This source file is part of an example system for MITRE's 2023 Embedded
+# CTF (eCTF). This code is being provided only for educational purposes for the
+# 2023 MITRE eCTF competition, and may not meet MITRE standards for quality.
+# Use this code at your own risk!
+
+__all__ = ["CmdFailedError", "get_logger", "HandlerTy", "HandlerRet", "subparsers"]
+
+
+from ectf_tools.utils import (
+    CmdFailedError,
+    get_logger,
+    HandlerTy,
+    HandlerRet,
+)
+from ectf_tools.subparsers import subparsers
diff --git a/ectf_tools/__main__.py b/ectf_tools/__main__.py
new file mode 100644
index 0000000..bda62ee
--- /dev/null
+++ b/ectf_tools/__main__.py
@@ -0,0 +1,60 @@
+# 2023 eCTF
+# Kyle Scaplen
+#
+# (c) 2023 The MITRE Corporation
+#
+# This source file is part of an example system for MITRE's 2023 Embedded
+# CTF (eCTF). This code is being provided only for educational purposes for the
+# 2023 MITRE eCTF competition, and may not meet MITRE standards for quality.
+# Use this code at your own risk!
+
+import importlib
+import asyncio
+import logging
+
+from tap import Tap
+
+from ectf_tools import subparsers, get_logger, CmdFailedError, HandlerTy
+
+
+class Args(Tap):
+    debug: bool = False # whether to enable debug logging
+
+    def configure(self):
+        self.add_subparsers(dest="cmd", required=True)
+        for flag, subparser in subparsers.items():
+            self.add_subparser(flag, subparser, help=subparser.__doc__) # noqa
+
+
+async def async_main():
+    args = Args(underscores_to_dashes=True).parse_args()
+
+    # set up logger
+    logging.basicConfig(
+        format="%(levelname)s %(asctime)s %(message)s",
+        level=logging.DEBUG if args.debug else logging.INFO,
+    )
+    logger = get_logger()
+
+    # get command handler
+
+    package, func = args.cmd.split(".") # noqa
+    handler: HandlerTy = getattr(importlib.import_module(f"ectf_tools.{package}"), func)
+
+    # call command handler
+    kwargs = args.as_dict()
+    del kwargs["cmd"]
+    if "debug" in kwargs:
+        del kwargs["debug"]
+    try:
+        await handler(**kwargs, logger=logger)
+    except CmdFailedError as e:
+        exit(f"Error: {e.args[0]}")
+
+
+def main():
+    asyncio.run(async_main())
+
+
+if __name__ == "__main__":
+    main()
diff --git a/ectf_tools/build.py b/ectf_tools/build.py
new file mode 100644
index 0000000..4bb454c
--- /dev/null
+++ b/ectf_tools/build.py
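Review bot: The `except CmdFailedError` branch at the end of async_main reports the failure through the `exit()` builtin, which is installed by the `site` module and is not guaranteed to exist (for example under `python -S` or in an embedded interpreter); `sys.exit` is the portable form. `e.args[0]` would also raise IndexError if a CmdFailedError were ever constructed without a message (its definition lives in ectf_tools.utils and is not in this diff), turning a clean error exit into a traceback. I would change the handler to `sys.exit(f"Error: {e}")` and add `import sys` to the import block. The `package, func = args.cmd.split(".")` unpack and the `importlib.import_module(f"ectf_tools.{package}")` that follows are only safe because argparse restricts `cmd` to the keys registered from `subparsers`, so the module name is not freely user-controllable; a one-line comment stating that invariant, such as `# cmd is constrained by argparse to the registered "<package>.<func>" keys`, would save the next reader from having to verify it.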
@@ -0,0 +1,367 @@
+# 2023 eCTF
+# Kyle Scaplen
+#
+# (c) 2023 The MITRE Corporation
+#
+# This source file is part of an example system for MITRE's 2023 Embedded
+# CTF (eCTF). This code is being provided only for educational purposes for the
+# 2023 MITRE eCTF competition, and may not meet MITRE standards for quality.
+# Use this code at your own risk!
+
+import logging
+
+import docker
+import docker.errors
+from docker.utils import tar
+from pathlib import Path
+
+from ectf_tools.utils import run_shell, get_logger, zip_step_returns, HandlerRet
+from ectf_tools.device import FW_FLASH_SIZE, FW_EEPROM_SIZE
+from ectf_tools.subparsers import (
+ SubparserBuildEnv,
+ SubparserBuildTools,
+ SubparserBuildDepl,
+ SubparserBuildCarFobPair,
+ SubparserBuildFob,
+)
+
+
+async def env(
+ design: Path,
+ name: str,
+ image: str = SubparserBuildEnv.image,
+ docker_dir: Path = SubparserBuildEnv.docker_dir,
+ dockerfile: str = SubparserBuildEnv.dockerfile,
+ logger: logging.Logger = None,
+) -> HandlerRet:
+ tag = f"{image}:{name}"
+ logger = logger or get_logger()
+ logger.info(f"Building image {tag}")
+
+ # Add build directory to context
+ build_dir = design.resolve() / docker_dir
+ dockerfile_name = build_dir / dockerfile
+ with open(dockerfile_name, "r") as df:
+ dockerfile = ("Dockerfile", df.read())
+ dockerfile = tar(build_dir, dockerfile=dockerfile)
+
+ # run docker build
+ client = docker.from_env()
+ try:
+ _, logs_raw = client.images.build(
+ tag=tag, fileobj=dockerfile, custom_context=True,
+ )
+ except docker.errors.BuildError as e:
+ logger.error(f"Docker build error: {e}")
+ for log in e.build_log:
+ if "stream" in log and log["stream"].strip():
+ logger.error(log["stream"].strip())
+ raise
+ logger.info(f"Built image {tag}")
+
+ logs = "".join([d["stream"] for d in list(logs_raw) if "stream" in d])
+ logging.debug(logs)
+ return logs.encode(), b""
+
+
+async def tools(
+ design: Path,
+ name: str,
+ image: str = SubparserBuildTools.image,
+ tools_in: Path = SubparserBuildTools.tools_in,
+ logger: logging.Logger = None,
+) -> HandlerRet:
+ tag = f"{image}:{name}"
+ logger = logger or get_logger()
+ logger.info(f"{tag}: Building tools")
+ tool_dir = str(design.resolve() / tools_in)
+ output = await run_shell(
+ "docker run"
+ f" -v {tool_dir}:/tools_in:ro"
+ f" -v {image}.{name}.tools.vol:/tools_out"
+ " --workdir=/tools_in"
+ f" {tag} make TOOLS_OUT_DIR=/tools_out"
+ )
+ logger.info(f"{tag}: Built tools")
+ return output
+
+
+async def depl(
+ design: Path,
+ name: str,
+ deployment: str,
+ image: str = SubparserBuildDepl.image,
+ depl_in: Path = SubparserBuildDepl.depl_in,
+ logger: logging.Logger = None,
+) -> HandlerRet:
+ tag = f"{image}:{name}"
+ logger = logger or get_logger()
+ logger.info(f"{tag}: Building deployment {deployment}")
+ depl_dir = str(design.resolve() / depl_in)
+ output = await run_shell(
+ "docker run"
+ f" -v {depl_dir}:/depl_in:ro"
+ f" -v {image}.{name}.{deployment}.secrets.vol:/secrets"
+ " --workdir=/depl_in"
+ f" {tag} make SECRETS_DIR=/secrets"
+ )
+ logger.info(f"{tag}: Built deployment {deployment}")
+ return output
+
+
+async def car_fob_pair(
+ design: Path,
+ name: str,
+ deployment: str,
+ car_name: str,
+ fob_name: str,
+ car_out: Path,
+ fob_out: Path,
+ car_id: int,
+ pair_pin: int,
+ car_in: Path = SubparserBuildCarFobPair.car_in,
+ fob_in: Path = SubparserBuildCarFobPair.fob_in,
+ car_unlock_secret: str = SubparserBuildCarFobPair.car_unlock_secret,
+ car_feature1_secret: str = SubparserBuildCarFobPair.car_feature1_secret,
+ car_feature2_secret: str = SubparserBuildCarFobPair.car_feature2_secret,
+ car_feature3_secret: str = SubparserBuildCarFobPair.car_feature3_secret,
+ image: str = SubparserBuildCarFobPair.image,
+ logger: logging.Logger = None,
+) -> HandlerRet:
+ """
+ Build car and paired fob pair
+ """
+
+ # Image information
+ tag = f"{image}:{name}"
+ logger = logger or get_logger()
+ logger.info(f"{tag}:{deployment}: Building car {car_name}")
+
+ # Car defines
+ car_defines = f" CAR_ID={car_id}"
+
+ # Build car
+ car_output = await make_dev(
+ image=image,
+ name=name,
+ design=design,
+ deployment=deployment,
+ dev_name=car_name,
+ dev_in=car_in,
+ dev_out=car_out,
+ defines=car_defines,
+ make_target="car",
+ logger=logger,
+ replace_secrets=True,
+ unlock_secret=car_unlock_secret,
+ feature1_secret=car_feature1_secret,
+ feature2_secret=car_feature2_secret,
+ feature3_secret=car_feature3_secret,
+ )
+
+ # Fob defines
+ fob_defines = f" CAR_ID={car_id}" f" PAIR_PIN={pair_pin}"
+
+ # Build fob
+ fob_output = await make_dev(
+ image=image,
+ name=name,
+ design=design,
+ deployment=deployment,
+ dev_name=fob_name,
+ dev_in=fob_in,
+ dev_out=fob_out,
+ defines=fob_defines,
+ make_target="paired_fob",
+ logger=logger,
+ replace_secrets=False,
+ )
+
+ return zip_step_returns([car_output, fob_output])
+
+
+async def fob(
+ design: Path,
+ name: str,
+ deployment: str,
+ fob_name: str,
+ fob_out: Path,
+ image: str = SubparserBuildFob.image,
+ fob_in: Path = SubparserBuildFob.fob_in,
+ logger: logging.Logger = None,
+) -> HandlerRet:
+ """
+ Build unpaired fob firmware
+ """
+
+ # Image information
+ tag = f"{image}:{name}"
+ logger = logger or get_logger()
+ logger.info(f"{tag}:{deployment}: Building unpaired fob {fob_name}")
+
+ # Unpaired fob defines
+ fob_defines = ""
+
+ # Build fob
+ output = await make_dev(
+ image=image,
+ name=name,
+ design=design,
+ deployment=deployment,
+ dev_name=fob_name,
+ dev_in=fob_in,
+ dev_out=fob_out,
+ defines=fob_defines,
+ make_target="unpaired_fob",
+ logger=logger,
+ replace_secrets=False,
+ )
+
+ return output
+
+
+async def make_dev(
+ image: str,
+ name: str,
+ design: str,
+ deployment: str,
+ dev_name: str,
+ dev_in: Path,
+ dev_out: Path,
+ defines: str,
+ make_target: str,
+ logger: logging.Logger,
+ replace_secrets: bool,
+ unlock_secret: str = "Car Unlocked",
+ feature1_secret: str = "Feature 1 Enabled: Heated Seats",
+ feature2_secret: str = "Feature 2 Enabled: Extended Range",
+ feature3_secret: str = "Feature 3 Enabled: Valet Mode",
+) -> HandlerRet:
+ """
+ Build device firmware
+ """
+ tag = f"{image}:{name}"
+
+ # Setup full container paths
+ bin_path = f"/dev_out/{dev_name}.bin"
+ elf_path = f"/dev_out/{dev_name}.elf"
+ eeprom_path = f"/dev_out/{dev_name}.eeprom"
+ dev_in = (design / dev_in).resolve()
+ dev_out = dev_out.resolve()
+
+ # Create output directory
+ if not dev_out.exists():
+ logger.info(f"{tag}:{deployment}: Making output directory {dev_out}")
+ dev_out.mkdir()
+
+ # Compile
+ output = await run_shell(
+ "docker run"
+ f" -v {str(dev_in)}:/dev_in:ro"
+ f" -v {str(dev_out)}:/dev_out"
+ f" -v {image}.{name}.{deployment}.secrets.vol:/secrets"
+ " --workdir=/root"
+ f" {tag} /bin/bash -c"
+ ' "'
+ " cp -r /dev_in/* /root/ &&"
+ f" make {make_target}"
+ f" {defines}"
+ f" SECRETS_DIR=/secrets"
+ f" BIN_PATH={bin_path}"
+ f" ELF_PATH={elf_path}"
+ f" EEPROM_PATH={eeprom_path}"
+ '"'
+ )
+
+ logger.info(f"{tag}:{deployment}: Built device {dev_name}")
+
+ # Package image, eeprom, and secret
+ logger.info(f"{tag}:{deployment}: Packaging image for device {dev_name}")
+ bin_path = dev_out / f"{dev_name}.bin"
+ eeprom_path = dev_out / f"{dev_name}.eeprom"
+ image_path = dev_out / f"{dev_name}.img"
+
+ package_device(
+ bin_path,
+ eeprom_path,
+ image_path,
+ replace_secrets,
+ unlock_secret,
+ feature1_secret,
+ feature2_secret,
+ feature3_secret,
+ )
+
+ logger.info(f"{tag}:{deployment}: Packaged device {dev_name} image")
+
+ return output
+
+
+def package_device(
+ bin_path: Path,
+ eeprom_path: Path,
+ image_path: Path,
+ replace_secrets: bool,
+ unlock_secret: str,
+ feature1_secret: str,
+ feature2_secret: str,
+ feature3_secret: str,
+):
+ """
+ Package a device image for use with the bootstrapper
+
+ Accepts up to 64 bytes (encoded in hex) to insert as a secret in EEPROM
+ """
+ # Read input bin file
+ bin_data = bin_path.read_bytes()
+
+ # Pad bin data to max size
+ image_bin_data = bin_data.ljust(FW_FLASH_SIZE, b"\xff")
+
+ # Read EEPROM data
+ eeprom_data = eeprom_path.read_bytes()
+
+ # Pad EEPROM to max size
+ image_eeprom_data = eeprom_data.ljust(FW_EEPROM_SIZE, b"\xff")
+
+ # Put secrets in EEPROM if used
+ if replace_secrets:
+ # Convert secrets to bytes
+ unlock_secret = unlock_secret.encode()
+ feature1_secret = feature1_secret.encode()
+ feature2_secret = feature2_secret.encode()
+ feature3_secret = feature3_secret.encode()
+
+ # Check secret lengths
+ if len(unlock_secret) > 64:
+ raise Exception(f"Unlock secret too long ({len(unlock_secret)} > 64)")
+
+ if len(feature1_secret) > 64:
+ raise Exception(f"Feature 1 secret too long ({len(feature1_secret)} > 64)")
+
+ if len(feature2_secret) > 64:
+ raise Exception(f"Feature 2 secret too long ({len(feature2_secret)} > 64)")
+
+ if len(feature3_secret) > 64:
+ raise Exception(f"Feature 3 secret too long ({len(feature3_secret)} > 64)")
+
+ # Pad secrets to 64 bytes
+ unlock_secret = unlock_secret.ljust(64, b".")
+ feature1_secret = feature1_secret.ljust(64, b".")
+ feature2_secret = feature2_secret.ljust(64, b".")
+ feature3_secret = feature3_secret.ljust(64, b".")
+
+ # Replace end of EEPROM data with secret values
+ image_eeprom_data = (
+ image_eeprom_data[: FW_EEPROM_SIZE - 256]
+ + feature3_secret
+ + feature2_secret
+ + feature1_secret
+ + unlock_secret
+ )
+
+ # Create phys_image.bin
+ image_data = image_bin_data + image_eeprom_data
+
+ # Write output binary
+ image_path.write_bytes(image_data)
diff --git a/ectf_tools/device.py b/ectf_tools/device.py
new file mode 100644
index 0000000..c44ae34
--- /dev/null
+++ b/ectf_tools/device.py
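Review bot: `package_device` pads `bin_data` and `eeprom_data` with `ljust` but never rejects input that is already longer than `FW_FLASH_SIZE` / `FW_EEPROM_SIZE`, so an oversized firmware is silently concatenated, the EEPROM bytes land at the wrong offset in the image, and the problem only surfaces later as `load_hw`'s "Invalid image size" error (and not at all on the `load_sec_hw` path, which has no size check). Add explicit checks before padding, `if len(bin_data) > FW_FLASH_SIZE: raise CmdFailedError(f"Firmware too large ({len(bin_data)} > {FW_FLASH_SIZE})")` and the same for the EEPROM data, and raise `CmdFailedError` instead of bare `Exception` for the four secret-length checks so `__main__` reports them consistently (`CmdFailedError` would need adding to the `ectf_tools.utils` import at the top of the file). The docstring's "Accepts up to 64 bytes (encoded in hex)" does not match the code, which `.encode()`s UTF-8 text and pads with `b"."`; it should read "Accepts up to four 64-byte UTF-8 secrets, each padded with '.' to 64 bytes and written into the last 256 bytes of EEPROM". `tools`, `depl` and `make_dev` interpolate CLI-supplied values (`defines`, `dev_name`, `image`, `name`, `deployment`, the mount paths) unquoted into the `docker run` string that `run_shell` passes to `create_subprocess_shell`, and `make_dev` additionally nests them inside `/bin/bash -c "..."`, so a value with spaces or shell metacharacters breaks or alters the command; wrap each interpolation in `shlex.quote(...)` (the same applies to `pair_pin`, `package_name` and `car_id` in the `run.py` hunk).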
@@ -0,0 +1,527 @@
+# 2023 eCTF
+# Kyle Scaplen
+#
+# (c) 2023 The MITRE Corporation
+#
+# This source file is part of an example system for MITRE's 2023 Embedded
+# CTF (eCTF). This code is being provided only for educational purposes for the
+# 2023 MITRE eCTF competition, and may not meet MITRE standards for quality.
+# Use this code at your own risk!
+
+import asyncio
+import logging
+import socket
+import select
+from enum import Enum
+from pathlib import Path
+from rich.progress import Progress
+from typing import Optional
+
+from serial import Serial
+from serial.tools import list_ports
+from serial.serialutil import SerialException
+
+from ectf_tools.utils import CmdFailedError, get_logger, HandlerRet, SOCKET_BASE
+
+
+"""
+Device Image Sizes
+"""
+
+BLOCK_SIZE = 16
+PAGE_SIZE = 1024
+
+FLASH_PAGES = 256
+FLASH_SIZE = FLASH_PAGES * PAGE_SIZE
+EEPROM_PAGES = 2
+EEPROM_SIZE = EEPROM_PAGES * PAGE_SIZE
+
+FW_FLASH_PAGES = 110
+FW_FLASH_SIZE = FW_FLASH_PAGES * PAGE_SIZE
+FW_FLASH_BLOCKS = FW_FLASH_SIZE // BLOCK_SIZE
+
+FW_EEPROM_PAGES = 2
+FW_EEPROM_SIZE = FW_EEPROM_PAGES * PAGE_SIZE
+FW_EEPROM_BLOCKS = FW_EEPROM_SIZE // BLOCK_SIZE
+
+TOTAL_FW_SIZE = FW_FLASH_SIZE + FW_EEPROM_SIZE
+TOTAL_FW_PAGES = FW_FLASH_PAGES + FW_EEPROM_PAGES
+TOTAL_FW_BLOCKS = FW_FLASH_BLOCKS + FW_EEPROM_BLOCKS
+
+
+class BootloaderResponseCode(Enum):
+ RequestUpdate = b"\x00"
+ StartUpdate = b"\x01"
+ UpdateInitFlashEraseOK = b"\x02"
+ UpdateInitEEPROMEraseOK = b"\x03"
+ UpdateInitEEPROMEraseError = b"\x04"
+ AppBlockInstallOK = b"\x05"
+ AppBlockInstallError = b"\x06"
+ EEPROMBlockInstallOK = b"\x07"
+ EEPROMBlockInstallError = b"\x08"
+ AppInstallOK = b"\x09"
+ AppInstallError = b"\x0a"
+
+
+secure_bl_success_codes = list(range(0, 18))
+secure_bl_error_codes = list(range(18, 26))
+SECURE_BL_UPDATE_COMMAND = b"\x00"
+
+secure_bl_mode_change_success_codes = list(range(0, 8))
+secure_bl_mode_change_error_codes = list(range(8, 9))
+SECURE_BL_MODE_CHANGE_COMMAND = b"\x00"
+
+
+def get_serial_port():
+ orig_ports = set(list_ports.comports())
+ while True:
+ ports = set(list_ports.comports())
+ new_ports = ports - orig_ports
+
+ if len(new_ports) == 1:
+ new_port = new_ports.pop()
+ return new_port.device
+
+ orig_ports = ports
+
+
+def verify_resp(ser: Serial, expected: BootloaderResponseCode):
+ resp = ser.read(1)
+ while resp == b"":
+ resp = ser.read(1)
+
+ assert BootloaderResponseCode(resp) == expected
+
+
+def verify_sec_resp(ser: Serial, print_out: bool = True, logger: logging.Logger = None):
+ resp = ser.read(1)
+ while (resp == b"") or (
+ not ord(resp) in (secure_bl_success_codes + secure_bl_error_codes)
+ ):
+ resp = ser.read(1)
+
+ logger = logger or get_logger()
+
+ if ord(resp) not in secure_bl_success_codes:
+ logger.error(f"Bootloader responded with: {ord(resp)}")
+ raise ValueError()
+ if print_out:
+ logger.info(f"Success. Bootloader responded with code {ord(resp)}")
+
+ return ord(resp)
+
+
+def verify_mode_change_resp(
+ ser: Serial, dev_num: int, print_out: bool = True, logger: logging.Logger = None
+):
+ resp = ser.read(1)
+ while (resp == b"") or (
+ not ord(resp)
+ in (secure_bl_mode_change_success_codes + secure_bl_mode_change_error_codes)
+ ):
+ resp = ser.read(1)
+
+ logger = logger or get_logger()
+
+ if ord(resp) not in secure_bl_mode_change_success_codes:
+ logger.error(f"Bootloader {dev_num} responded with: {ord(resp)}")
+ raise ValueError()
+ if print_out:
+ logger.info(f"Success. Bootloader {dev_num} responded with code {ord(resp)}")
+
+ return ord(resp)
+
+
+async def load_hw(
+ dev_in: Path, dev_name: str, dev_serial: str, logger: logging.Logger = None,
+) -> HandlerRet:
+ # Usage: Turn on the device holding SW2, then start this script
+
+ logger = logger or get_logger()
+
+ # Set up file references
+ image_path = dev_in / f"{dev_name}.img"
+
+ # Try to connect to the serial port
+ logger.info(f"Connecting to serial port {dev_serial}...")
+ ser = Serial(dev_serial, 115200, timeout=2)
+ ser.reset_input_buffer()
+ logger.info(f"Connection opened on {dev_serial}")
+
+ # Open firmware
+ logger.info("Reading image file...")
+ if not image_path.exists():
+ ser.close()
+ raise CmdFailedError(f"Image file {image_path} not found")
+
+ fw_data = image_path.read_bytes()
+ fw_size = len(fw_data)
+ if fw_size != TOTAL_FW_SIZE:
+ ser.close()
+ raise CmdFailedError(
+ f"Invalid image size 0x{fw_size:X}. Expected 0x{TOTAL_FW_SIZE:X}"
+ )
+
+ # Wait for bootloader ready
+ logger.info("Requesting update...")
+ ser.write(BootloaderResponseCode.RequestUpdate.value)
+ try:
+ verify_resp(ser, BootloaderResponseCode.StartUpdate)
+ except AssertionError:
+ ser.close()
+ raise CmdFailedError("Bootloader did not start an update")
+
+ # Wait for Flash erase
+ logger.info("Waiting for Flash Erase...")
+ try:
+ verify_resp(ser, BootloaderResponseCode.UpdateInitFlashEraseOK)
+ except AssertionError:
+ ser.close()
+ raise CmdFailedError("Error while erasing Flash")
+
+ # Wait for EEPROM erase
+ logger.info("Waiting for EEPROM Erase...")
+ try:
+ verify_resp(ser, BootloaderResponseCode.UpdateInitEEPROMEraseOK)
+ except AssertionError:
+ ser.close()
+ raise CmdFailedError("Error while erasing EEPROM")
+
+ # Send data in 16-byte blocks
+ logger.info("Sending firmware...")
+ total_bytes = len(fw_data)
+ block_count = 0
+ i = 0
+ with Progress() as progress:
+ task = progress.add_task("Sending firmware...", total=total_bytes)
+ while i < total_bytes:
+ block_bytes = fw_data[i : i + BLOCK_SIZE] # noqa
+ ser.write(block_bytes)
+
+ try:
+ if block_count < FW_FLASH_BLOCKS:
+ verify_resp(ser, BootloaderResponseCode.AppBlockInstallOK)
+ else:
+ verify_resp(ser, BootloaderResponseCode.EEPROMBlockInstallOK)
+ except AssertionError:
+ ser.close()
+ raise CmdFailedError(f"Install failed at block {block_count+1}")
+
+ i += BLOCK_SIZE
+ block_count += 1
+ progress.update(task, advance=len(block_bytes))
+
+ try:
+ verify_resp(ser, BootloaderResponseCode.AppInstallOK)
+ except AssertionError:
+ ser.close()
+ raise CmdFailedError("Image Failed to Install")
+
+ logger.info("Image Installed")
+ return b"", b""
+
+
+async def load_sec_hw(
+ dev_in: Path, dev_name: str, dev_serial: str, logger: logging.Logger = None,
+) -> HandlerRet:
+ # Usage: Turn on the device holding SW2, then start this script
+
+ logger = logger or get_logger()
+
+ # Set up file references
+ image_path = dev_in / f"{dev_name}.img"
+
+ # Try to connect to the serial port
+ logger.info(f"Connecting to serial port {dev_serial}...")
+ ser = Serial(dev_serial, 115200, timeout=2)
+ ser.reset_input_buffer()
+ logger.info(f"Connection opened on {dev_serial}")
+
+ # Open firmware
+ logger.info("Reading image file...")
+ if not image_path.exists():
+ ser.close()
+ raise CmdFailedError(f"Image file {image_path} not found")
+
+ fw_data = image_path.read_bytes()
+
+ # Wait for bootloader ready
+ logger.info("Requesting update...")
+ ser.write(SECURE_BL_UPDATE_COMMAND)
+
+ resp = -1
+ while resp != secure_bl_success_codes[2]:
+ try:
+ resp = verify_sec_resp(ser, logger=logger)
+ except ValueError:
+ ser.close()
+ raise CmdFailedError("Load HW Failed")
+
+ # Send data in 16-byte blocks
+ logger.info("Update started")
+ total_bytes = len(fw_data)
+ block_count = 0
+ i = 0
+
+ with Progress() as progress:
+ task = progress.add_task("Sending firmware...", total=total_bytes)
+ while i < total_bytes:
+ block_bytes = fw_data[i : i + BLOCK_SIZE]
+ ser.write(block_bytes)
+ try:
+ verify_sec_resp(ser, print_out=False, logger=logger)
+ except ValueError:
+ ser.close()
+ raise CmdFailedError(f"Install failed at block {block_count+1}")
+
+ i += BLOCK_SIZE
+ block_count += 1
+ progress.update(task, advance=len(block_bytes))
+
+ logger.info("Listening for update status...")
+ resp = -1
+ while resp != secure_bl_success_codes[-1]:
+ try:
+ resp = verify_sec_resp(ser, logger=logger)
+ except AssertionError:
+ ser.close()
+ raise CmdFailedError("Image Failed to Install")
+
+ logger.info("Image Installed")
+ return b"", b""
+
+
+async def mode_change(
+ dev1_serial: str, dev2_serial: str, logger: logging.Logger = None
+):
+ logger = logger or logging.getLogger()
+
+ # Open serial ports
+ ser1 = Serial(dev1_serial, 115200, timeout=2)
+ ser1.reset_input_buffer()
+
+ ser2 = Serial(dev2_serial, 115200, timeout=2)
+ ser2.reset_input_buffer()
+
+ logger.info(f"Connected to bootloaders on {dev1_serial} and {dev2_serial}")
+
+ # Wait for bootloader ready
+ logger.info("Requesting mode change")
+ ser1.write(SECURE_BL_MODE_CHANGE_COMMAND)
+ ser2.write(SECURE_BL_MODE_CHANGE_COMMAND)
+ verify_mode_change_resp(ser1, 1, logger=logger)
+ verify_mode_change_resp(ser2, 2, logger=logger)
+
+ # Receive data
+ d1 = ser1.read(32)
+ verify_mode_change_resp(ser1, 1, logger=logger)
+ d2 = ser2.read(32)
+ verify_mode_change_resp(ser2, 2, logger=logger)
+
+ # Forward data
+ ser1.write(d2)
+ verify_mode_change_resp(ser1, 1, logger=logger)
+ ser2.write(d1)
+ verify_mode_change_resp(ser2, 2, logger=logger)
+
+ # Receive data
+ d1 = ser1.read(32)
+ verify_mode_change_resp(ser1, 1, logger=logger)
+ d2 = ser2.read(32)
+ verify_mode_change_resp(ser2, 2, logger=logger)
+
+ # Forward data
+ ser1.write(d2)
+ verify_mode_change_resp(ser1, 1, logger=logger)
+ ser2.write(d1)
+ verify_mode_change_resp(ser2, 2, logger=logger)
+
+ # Try receiving d2 first
+ d2 = ser2.read(32)
+ if len(d2) == 32:
+ # Continue, forward d2 to d1
+ verify_mode_change_resp(ser2, 2, logger=logger)
+ ser1.write(d2)
+ verify_mode_change_resp(ser1, 1, logger=logger)
+
+ # Receive from d1
+ d1 = ser1.read(32)
+ verify_mode_change_resp(ser1, 1, logger=logger)
+ ser2.write(d1)
+ verify_mode_change_resp(ser2, 2, logger=logger)
+ else:
+ # Need to receive d1 first
+ d1 = ser1.read(32)
+ verify_mode_change_resp(ser1, 1, logger=logger)
+ ser2.write(d1)
+ verify_mode_change_resp(ser2, 2, logger=logger)
+
+ # Receive from d2
+ d2 = ser2.read(32)
+ verify_mode_change_resp(ser2, 2, logger=logger)
+ ser1.write(d2)
+ verify_mode_change_resp(ser1, 1, logger=logger)
+
+ logger.info("Mode Change Complete")
+ return b"", b""
+
+
+class Port:
+ def __init__(self, device_serial: str, baudrate=115200, log_level=logging.INFO):
+ self.device_serial = device_serial
+ self.baudrate = baudrate
+ self.ser = None
+
+ # Set up logger
+ self.logger = logging.getLogger(f"{device_serial}_log")
+ self.logger.info(f"Ready to connect to device on serial {self.device_serial}")
+
+ def active(self) -> bool:
+ # If not connected, try to connect to serial device
+ if not self.ser:
+ try:
+ ser = Serial(self.device_serial, baudrate=self.baudrate, timeout=0.1)
+ ser.reset_input_buffer()
+ self.ser = ser
+ self.logger.info(f"Connection opened on {self.device_serial}")
+ except (SerialException, OSError):
+ pass
+ return bool(self.ser)
+
+ def read_msg(self) -> Optional[bytes]:
+ if not self.active():
+ return None
+
+ try:
+ msg = self.ser.read()
+ if msg != b"":
+ return msg
+ return None
+ except (SerialException, OSError):
+ self.close()
+ return None
+
+ def send_msg(self, msg: bytes) -> bool:
+ if not self.active():
+ return False
+
+ try:
+ self.ser.write(msg)
+ return True
+ except (SerialException, OSError):
+ self.close()
+ return False
+
+ def close(self):
+ self.logger.warning(f"Connection closed on {self.device_serial}")
+ self.ser = None
+
+
+class Sock:
+ def __init__(self, bridge_id: int, q_len=1, log_level=logging.INFO):
+ self.bridge_id = bridge_id
+
+ # Set up socket
+ self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+ self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
+ self.sock.bind(("0.0.0.0", int(bridge_id)))
+ self.sock.listen(q_len)
+ self.csock = None
+
+ # Set up logger
+ self.logger = logging.getLogger(f"{bridge_id}_log")
+ self.logger.info(f"Ready to connect to socket on port {self.bridge_id}")
+
+ @staticmethod
+ def sock_ready(sock: socket.SocketType) -> bool:
+ ready, _, _ = select.select([sock], [], [], 0)
+ return bool(ready)
+
+ def active(self) -> bool:
+ # Try to accept new client
+ if not self.csock:
+ if self.sock_ready(self.sock):
+ self.logger.info(f"Connection opened on {self.bridge_id}")
+ self.csock, _ = self.sock.accept()
+ return bool(self.csock)
+
+ def read_msg(self) -> Optional[bytes]:
+ if not self.active():
+ return None
+
+ try:
+ if self.sock_ready(self.csock):
+ data = self.csock.recv(4096)
+
+ # Connection closed
+ if not data:
+ self.close()
+ return None
+
+ return data
+ return None
+ except (ConnectionResetError, BrokenPipeError):
+ # Cleanly handle forced closed connection
+ self.close()
+ return None
+
+ def send_msg(self, msg: bytes) -> bool:
+ if not self.active():
+ return False
+
+ try:
+ self.csock.sendall(msg)
+ return True
+ except (ConnectionResetError, BrokenPipeError):
+ # Cleanly handle forced closed connection
+ self.close()
+ return False
+
+ def close(self):
+ self.logger.warning(f"Conection closed on {self.bridge_id}")
+ self.csock = None
+
+
+def poll_bridge(host_sock: Sock, serial_port: Port):
+ if host_sock.active():
+ msg = host_sock.read_msg()
+
+ # Send message to device
+ if serial_port.active():
+ if msg is not None:
+ serial_port.send_msg(msg)
+
+ if serial_port.active():
+ msg = serial_port.read_msg()
+
+ # Send message to host
+ if host_sock.active():
+ if msg is not None:
+ host_sock.send_msg(msg)
+
+
+async def bridge(
+ bridge_id: int, dev_serial: str, logger: logging.Logger = None
+) -> HandlerRet:
+
+ logger = logger or get_logger()
+ logger.info(
+ f"Starting bridge between host socket {bridge_id} and serial {dev_serial}"
+ )
+
+ # Open interfaces
+ bridge_id += SOCKET_BASE
+ host_sock = Sock(bridge_id)
+ serial_port = Port(dev_serial)
+
+ try:
+ while True:
+ poll_bridge(host_sock, serial_port)
+ await asyncio.sleep(0)
+ except KeyboardInterrupt:
+ logger.info("Shutting down bridge")
+ host_sock.close()
+ serial_port.close()
+
+ logger.info("Bridge shut-down")
+ return b"", b""
diff --git a/ectf_tools/run.py b/ectf_tools/run.py
new file mode 100644
index 0000000..01e55b4
--- /dev/null
+++ b/ectf_tools/run.py
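Review bot: `verify_resp` checks the bootloader's reply with a bare `assert`, so under `python -O` the check vanishes and `load_hw` proceeds past a failed erase or block install as if it succeeded; in addition `BootloaderResponseCode(resp)` raises `ValueError` for an unrecognised byte, which none of the `except AssertionError` handlers catch, so the serial port is left open. Replace the assert with an explicit check, `if BootloaderResponseCode(resp) != expected: raise CmdFailedError(f"Expected {expected.name}, got {resp!r}")`, catch `(CmdFailedError, ValueError)` at the call sites, and open the port with `with Serial(dev_serial, 115200, timeout=2) as ser:` so it is released on every exit path instead of the repeated `ser.close()` calls. The final status loop in `load_sec_hw` has the mirror-image mismatch: it catches `AssertionError` while `verify_sec_resp` raises `ValueError`, so a bootloader error code there escapes as an unhandled `ValueError` rather than the intended "Image Failed to Install". `Port.close` and `Sock.close` only drop the reference (`self.ser = None`, `self.csock = None`) without calling `.close()` on the handle, and `Sock.close` never closes the listening `self.sock`, so descriptors leak across reconnects. `Sock.__init__` binds to `"0.0.0.0"`, which exposes the unauthenticated serial bridge on every interface of the host; the containerised tools reach it through `host-gateway`, so binding to the Docker bridge address or a configurable host (or restricting the `SOCKET_BASE` port range with a host firewall) is worth a look.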
@@ -0,0 +1,146 @@
+# 2023 eCTF
+# Kyle Scaplen
+#
+# (c) 2023 The MITRE Corporation
+#
+# This source file is part of an example system for MITRE's 2023 Embedded
+# CTF (eCTF). This code is being provided only for educational purposes for the
+# 2023 MITRE eCTF competition, and may not meet MITRE standards for quality.
+# Use this code at your own risk!
+
+import logging
+from pathlib import Path
+
+from ectf_tools.utils import run_shell, get_logger, SOCKET_BASE
+from ectf_tools.subparsers import (
+ SubparserUnlockTool,
+ SubparserPairTool,
+ SubparserEnableTool,
+ SubparserPackageTool,
+)
+
+
+async def unlock(
+ name: str,
+ car_bridge: int,
+ image: str = SubparserUnlockTool.image,
+ logger: logging.Logger = None,
+):
+ tag = f"{image}:{name}"
+ logger = logger or get_logger()
+ logger.info(f"{tag} Running unlock tool")
+
+ car_bridge += SOCKET_BASE
+
+ ret = await run_shell(
+ "docker run"
+ " --add-host ectf-net:host-gateway"
+ f" -v {image}.{name}.tools.vol:/tools_out:ro"
+ " --workdir=/tools_out"
+ f" {tag} ./unlock_tool --car-bridge {car_bridge}",
+ logger,
+ )
+
+ stdout, stderr = ret[0]
+ print(stdout.decode(errors="backslashreplace"))
+
+ logger.info(f"{tag}: Unlock tool run")
+ return stdout, stderr
+
+
+async def pair(
+ name: str,
+ unpaired_fob_bridge: int,
+ paired_fob_bridge: int,
+ pair_pin: str,
+ image: str = SubparserPairTool.image,
+ logger: logging.Logger = None,
+):
+ tag = f"{image}:{name}"
+ logger = logger or get_logger()
+ logger.info(f"{tag} Running pair tool")
+
+ unpaired_fob_bridge += SOCKET_BASE
+ paired_fob_bridge += SOCKET_BASE
+
+ ret = await run_shell(
+ "docker run"
+ " --add-host ectf-net:host-gateway"
+ f" -v {image}.{name}.tools.vol:/tools_out:ro"
+ " --workdir=/tools_out"
+ f" {tag} ./pair_tool --unpaired-fob-bridge {unpaired_fob_bridge} "
+ f"--paired-fob-bridge {paired_fob_bridge} --pair-pin {pair_pin} ",
+ logger,
+ )
+
+ stdout, stderr = ret[0]
+
+ logger.info(f"{tag}: Pair tool run")
+ return stdout, stderr
+
+
+async def package(
+ name: str,
+ deployment: str,
+ car_id: str,
+ feature_number: int,
+ package_out: Path,
+ package_name: str,
+ image: str = SubparserPackageTool.image,
+ logger: logging.Logger = None,
+):
+ tag = f"{image}:{name}"
+ logger = logger or get_logger()
+ logger.info(f"{tag} Running package tool")
+
+ package_out = package_out.resolve()
+
+ ret = await run_shell(
+ "docker run"
+ " --add-host ectf-net:host-gateway"
+ f" -v {image}.{name}.{deployment}.secrets.vol:/secrets"
+ f" -v {image}.{name}.tools.vol:/tools_out:ro"
+ " --workdir=/tools_out"
+ f" -v {str(package_out)}:/package_dir"
+ f" {tag} ./package_tool --package-name {package_name}"
+ f" --car-id {car_id} --feature-number {feature_number}",
+ logger,
+ )
+
+ stdout, stderr = ret[0]
+
+ logger.info(f"{tag}: Package tool run")
+ return stdout, stderr
+
+
+async def enable(
+ name: str,
+ fob_bridge: int,
+ package_in: Path,
+ package_name: str,
+ image: str = SubparserEnableTool.image,
+ logger: logging.Logger = None,
+):
+ tag = f"{image}:{name}"
+ logger = logger or get_logger()
+ logger.info(f"{tag} Running enable tool")
+
+ package_in = package_in.resolve()
+
+ fob_bridge += SOCKET_BASE
+
+ ret = await run_shell(
+ "docker run"
+ " --add-host ectf-net:host-gateway"
+ f" -v {image}.{name}.tools.vol:/tools_out:ro"
+ " --workdir=/tools_out"
+ f" -v {str(package_in)}:/package_dir"
+ f" {tag} ./enable_tool --fob-bridge {fob_bridge}"
+ f" --package-name {package_name}",
+ logger,
+ )
+
+ stdout, stderr = ret[0]
+
+ logger.info(f"{tag}: Enable tool run")
+ return stdout, stderr
diff --git a/ectf_tools/subparsers.py b/ectf_tools/subparsers.py
new file mode 100644
index 0000000..1d84bb3
--- /dev/null
+++ b/ectf_tools/subparsers.py
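Review bot: `unlock`, `pair`, `package` and `enable` return the `(stdout, stderr)` tuple unpacked from `ret[0]`, whereas the `build.py` handlers return the `HandlerRet` list that `run_shell` produces, so the dispatcher in `__main__` sees two different result shapes behind one `HandlerTy`; returning `ret` unchanged and annotating the four functions `-> HandlerRet` is the smallest change that makes the modules agree. `pair` passes `pair_pin` on the command line, and `run_shell` logs the full command with `logger.debug(f"Running command {repr(cmd)}")`, so the pairing PIN is written to the debug log whenever `--debug` is set; a comment at the `run_shell` call such as `# NOTE: pair_pin appears in run_shell's debug log of the command line` would at least make that visible, and a redacting wrapper would remove it. `unlock` alone `print`s the tool's stdout while the other three only log; if the output is meant for the operator the others likely want the same treatment, otherwise route it through `logger.info`.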
@@ -0,0 +1,159 @@
+# 2023 eCTF
+# Kyle Scaplen
+#
+# (c) 2023 The MITRE Corporation
+#
+# This source file is part of an example system for MITRE's 2023 Embedded
+# CTF (eCTF). This code is being provided only for educational purposes for the
+# 2023 MITRE eCTF competition, and may not meet MITRE standards for quality.
+# Use this code at your own risk!
+
+from pathlib import Path
+from typing import Dict, Type
+
+from tap import Tap
+
+subparsers: Dict[str, Type[Tap]] = {}
+
+
+class eCTFTap(Tap):
+ def __init_subclass__(cls, cmd: str = None, **kwargs):
+ super().__init_subclass__(**kwargs)
+ if cmd is not None:
+ subparsers[cmd] = cls
+
+
+class BuildParser(eCTFTap):
+ design: Path # path to the design repo (likely in designs/)
+ name: str # tag name of the Docker image
+ image: str = "ectf" # name of the Docker image
+
+
+class SubparserBuildEnv(BuildParser, cmd="build.env"):
+ """Build the environment"""
+
+ docker_dir: Path = Path(
+ "docker_env"
+ ) # path to the docker env within the design repo
+ dockerfile: str = "build_image.Dockerfile" # name of the dockerfile
+
+
+class SubparserBuildTools(BuildParser, cmd="build.tools"):
+ """Build the tools"""
+
+ tools_in: Path = Path(
+ "host_tools"
+ ) # path to the host tools directory in the design repo
+
+
+class SubparserBuildDepl(BuildParser, cmd="build.depl"):
+ """Build a deployment"""
+
+ deployment: str # name of the deployment
+ depl_in: Path = Path(
+ "deployment"
+ ) # path to the deployment directory in the design repo
+
+
+class BuildDevParser(BuildParser):
+ """Build a device"""
+
+ deployment: str # name of the deployment
+
+
+class SubparserBuildCarFobPair(BuildDevParser, cmd="build.car_fob_pair"):
+ """Build a car and paired fob pair"""
+
+ car_name: str # name of the car output files
+ fob_name: str # name of the fob output files
+ car_out: Path # directory to mount to output built car to
+ fob_out: Path # directory to mount to output built fob to
+ car_id: int # ID of the car to build
+ pair_pin: str # car pairing PIN
+ car_in: Path = Path("car") # path to the car directory in the design repo
+ fob_in: Path = Path("fob") # path to the fob directory in the design repo
+ car_unlock_secret: str = "Car Unlocked" # unlock secret to put in the car EEPROM
+ car_feature1_secret: str = ( # feature 1 secret to put in the car EEPROM
+ "Feature 1 Enabled: Heated Seats"
+ )
+ car_feature2_secret: str = ( # feature 2 secret to put in the car EEPROM
+ "Feature 2 Enabled: Extended Range"
+ )
+ car_feature3_secret: str = ( # feature 3 secret to put in the car EEPROM
+ "Feature 3 Enabled: Valet Mode"
+ )
+
+
+class SubparserBuildFob(BuildDevParser, cmd="build.fob"):
+ """Build an unpaired fob"""
+
+ fob_name: str # name of the fob output files
+ fob_out: Path # directory to mount to output built fob to
+ fob_in: Path = Path("fob") # path to the fob directory in the design repo
+
+
+class DockerRunParser(eCTFTap):
+ name: str # tag name of the Docker image
+ image: str = "ectf" # name of the Docker image
+
+
+class SubparserUnlockTool(DockerRunParser, cmd="run.unlock"):
+ """Run the unlock tool"""
+
+ car_bridge: int
+
+
+class SubparserPairTool(DockerRunParser, cmd="run.pair"):
+ """Run the pair tool"""
+
+ unpaired_fob_bridge: int
+ paired_fob_bridge: int
+ pair_pin: str
+
+
+class SubparserEnableTool(DockerRunParser, cmd="run.enable"):
+ """Run the enable tool"""
+
+ package_in: Path
+ package_name: str
+ fob_bridge: int
+
+
+class SubparserPackageTool(DockerRunParser, cmd="run.package"):
+ """Run the package tool"""
+
+ deployment: str # name of the deployment
+ package_out: Path
+ package_name: str
+ car_id: str
+ feature_number: int
+
+
+class SubparserDevLoadHW(eCTFTap, cmd="device.load_hw"):
+ """Load a firmware onto the device"""
+
+ dev_in: Path # path to the device build directory
+ dev_name: str # name of the device
+ dev_serial: str # specify the serial port
+
+
+class SubparserDevLoadSecHW(eCTFTap, cmd="device.load_sec_hw"):
+ """Load a firmware onto the secure device"""
+
+ dev_in: Path # path to the device build directory
+ dev_name: str # name of the device
+ dev_serial: str # specify the serial port
+
+
+class SubparserDevModeChange(eCTFTap, cmd="device.mode_change"):
+ """Change the mode of the secure bootloader"""
+
+ dev1_serial: str # serial port of the first device
+ dev2_serial: str # serial port of the second device
+
+
+class SubparserDevBridge(eCTFTap, cmd="device.bridge"):
+ """Start a serial-to-socket bridge"""
+
+ bridge_id: int # Bridge ID to set up
+ dev_serial: str # serial port to open
diff --git a/ectf_tools/utils.py b/ectf_tools/utils.py
new file mode 100644
index 0000000..0ec34ad
--- /dev/null
+++ b/ectf_tools/utils.py
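Review bot: `SubparserBuildCarFobPair.pair_pin` is annotated `str`, while the handler it feeds, `build.car_fob_pair`, declares `pair_pin: int`; Tap converts the CLI value according to the subparser's annotation, so the handler actually receives a `str`, and a PIN such as `012345` keeps its leading zero only because of that. Change the handler's annotation to `pair_pin: str` to match (the reverse change would silently drop leading zeros in the `PAIR_PIN=` define). `SubparserUnlockTool.car_bridge`, the `SubparserPairTool` fields and most of the `SubparserEnableTool` / `SubparserPackageTool` fields have no trailing comment while every other option does, and Tap appears to use those comments as `--help` text; e.g. `car_bridge: int  # bridge ID of the car's serial-to-socket bridge` and `pair_pin: str  # pairing PIN to present to the unpaired fob`.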
@@ -0,0 +1,61 @@
+# 2023 eCTF
+# Kyle Scaplen
+#
+# (c) 2023 The MITRE Corporation
+#
+# This source file is part of an example system for MITRE's 2023 Embedded
+# CTF (eCTF). This code is being provided only for educational purposes for the
+# 2023 MITRE eCTF competition, and may not meet MITRE standards for quality.
+# Use this code at your own risk!
+
+import asyncio
+import logging
+from typing import Tuple, Callable, Awaitable, List
+
+
+HandlerRet = List[Tuple[bytes, bytes]]
+HandlerTy = Callable[..., Awaitable[Tuple[bytes, bytes]]]
+
+SOCKET_BASE = 1337
+
+
+class CmdFailedError(Exception):
+ pass
+
+
+async def run_shell(cmd: str, logger: logging.Logger = None) -> HandlerRet:
+ logger = logger or logging.getLogger("eCTFLogger")
+ logger.debug(f"Running command {repr(cmd)}")
+ proc = await asyncio.create_subprocess_shell(
+ cmd, stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.PIPE,
+ )
+
+ stdout_raw, stderr_raw = await proc.communicate()
+ stdout = stdout_raw.decode(errors="backslashreplace")
+ stderr = stderr_raw.decode(errors="backslashreplace")
+ stdout_msg = f"STDOUT:\n{stdout}" if stdout else "NO STDOUT"
+ stderr_msg = f"STDERR:\n{stderr}" if stderr else "NO STDERR"
+ if proc.returncode:
+ logger.error(stdout_msg)
+ logger.error(stderr_msg)
+ raise CmdFailedError(
+ f"Tool build failed with return code {proc.returncode}", stdout, stderr
+ )
+ logger.debug(stdout_msg)
+ logger.debug(stderr_msg)
+ return [(stdout_raw, stderr_raw)]
+
+
+def get_logger() -> logging.Logger:
+ return logging.getLogger("eCTFLogger")
+
+
+def zip_step_returns(return_list: List[HandlerRet]) -> HandlerRet:
+
+ # A single run_shell returns a 1-length list of stream tuples
+ # Add all of those single elements to one list
+ zipped_return = return_list[0]
+ for ret in return_list[1:]:
+ zipped_return.append(ret[0])
+
+ return zipped_return
diff --git a/pyproject.toml b/pyproject.toml
new file mode 100644
index 0000000..0c23674
--- /dev/null
+++ b/pyproject.toml
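Review bot: `run_shell` hands `cmd` verbatim to a shell via `asyncio.create_subprocess_shell`, so any caller that formats an operator-supplied value into the string (the `dev_serial`, `package_name`, `car_id` or `pair_pin` fields declared by the parser classes in this same commit are the obvious candidates) lets shell metacharacters in that value execute; the callers are outside this hunk, so whether they quote is not visible here. The safer shape is an argv path that never touches a shell: accept a sequence as well as a string and route sequences through `create_subprocess_exec`, keeping the string path for existing callers with the stated requirement that they `shlex.quote()` every interpolated value (`Sequence` and `Union` would join the existing `typing` import). Separately, `logger.debug(f"Running command {repr(cmd)}")` and the `logger.error(stdout_msg)` on failure write the full command line and the tool's output to whatever handler is attached, so a PIN interpolated into `cmd` ends up in the log; at minimum a comment such as `# NOTE: the full command line is logged -- never interpolate secrets into cmd` belongs above the debug call. Also, `zip_step_returns` mutates and returns `return_list[0]` instead of a fresh list and raises IndexError on an empty input; `zipped_return = list(return_list[0]) if return_list else []` avoids both.
```python
async def run_shell(cmd: Union[str, Sequence[str]], logger: logging.Logger = None) -> HandlerRet:
    """Run *cmd* and return [(stdout_raw, stderr_raw)].

    A str is passed to the shell, so the caller must shlex.quote() every
    interpolated value; a sequence is executed directly as argv, no shell.
    """
    logger = logger or logging.getLogger("eCTFLogger")
    # NOTE: the full command line is logged -- never interpolate secrets into cmd
    logger.debug(f"Running command {repr(cmd)}")
    pipes = dict(stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.PIPE)
    if isinstance(cmd, str):
        proc = await asyncio.create_subprocess_shell(cmd, **pipes)
    else:
        # argv form: metacharacters in untrusted values are never interpreted
        proc = await asyncio.create_subprocess_exec(*cmd, **pipes)
    # … unchanged: communicate(), decode, logging, CmdFailedError …
```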
@@ -0,0 +1,19 @@
+[build-system]
+requires = ["setuptools"]
+build-backend = "setuptools.build_meta"
+
+[tool.black]
+include = '\.pyi?$'
+exclude = '''
+/(
+ \.git
+ | \.hg
+ | \.mypy_cache
+ | \.tox
+ | \.venv
+ | _build
+ | buck-out
+ | build
+ | dist
+)/
+'''
diff --git a/requirements.txt b/requirements.txt
new file mode 100644
index 0000000..18e0236
--- /dev/null
+++ b/requirements.txt
@@ -0,0 +1,6 @@
+flake8
+black
+typed-argument-parser
+docker
+pyserial
+rich
diff --git a/setup.cfg b/setup.cfg
new file mode 100644
index 0000000..df9628c
--- /dev/null
+++ b/setup.cfg
@@ -0,0 +1,15 @@
+[metadata]
+name = ectf_tools
+version = 2023.1
+
+[options]
+packages = ectf_tools
+install_requires =
+ docker
+ pyserial
+ typed-argument-parser
+ rich
+
+[options.entry_points]
+console_scripts =
+ ectf_tools = ectf_tools.__main__:main
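Review bot: Every entry in the new requirements.txt is an unpinned bare name, so `pip install -r requirements.txt` resolves to whatever the index serves on the day of install, and a future or hijacked release of `docker`, `pyserial`, `rich` or `typed-argument-parser` lands unreviewed in a tool that flashes firmware and handles the pairing PIN. Pin each line to a tested version (`name==X.Y.Z`) and, better, produce a hash-locked file (for example with `pip-compile --generate-hashes`) so `pip install --require-hashes` rejects a substituted artifact. `flake8` and `black` are developer-only tools and could move to a separate requirements-dev.txt so the runtime install pulls in nothing it does not need.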
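Review bot: `install_requires` in the new setup.cfg lists the four runtime packages with no version bounds at all, so a `pip install .` of this package is exposed to the same dependency drift as the unpinned requirements.txt, and the two lists have to be kept in step by hand. At least a lower bound per entry (`docker>=X.Y`) and a `python_requires` line under `[options]` are expected; the utils.py module in this commit uses f-strings, so `>=3.6` is a hard floor, and the real minimum is probably higher. Generating one of the two lists from the other (or from a lock file) keeps them from diverging.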
